Tesco Bank: counting the true cost of an online robbery

Author: Clayton Locke

The breach

On 6th November Tesco Bank began alerting customers by SMS about “suspicious activity” on their accounts. Cards were blocked as a precaution and in an official statement the bank reassured customers that the activity only affected a “small proportion” of its more than 130,000 current account customers.

The following day news outlets reported that 20,000 customers were in the firing line with some individuals reporting the loss of thousands of pounds from their accounts.

Tesco confirmed the losses in a follow-up statement from Chief Executive Benny Higgins who confirmed that “…over the weekend, some of [Tesco Bank’s] customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently.”

The bank would also later confirm that the activity had started on 5th November and that “Around 9,000 customers were affected by these fraudulent transactions”.

Tesco Bank also reported that it has now resumed “normal service” and refunded all its affected customers.

Numerous articles have been written on the subject of the Tesco robbery in the few days since it occurred and there are plenty of theories about how it might have occurred. The truth is that there’s almost no information in the public domain and for all the noise and discussion we simply don’t know what happened.

My feeling is that Tesco are trying to be transparent but the fact is that they’re in the middle of a police investigation. That investigation is being run by the NCA (National Crime Agency) with the assistance of the NCSC (National Cyber Security Centre) and part of NCSC’s role is to “investigate the root causes of the incident”.

I’ll leave it for others to conjecture about how it happened and focus instead on what an incident like this might mean for Tesco Bank’s bottom line.

Direct financial costs

According to press reports, refunding customers has cost Tesco about £2.5 million. The bank could face further financial penalties in the form of fines levied by the ICO (Information Commissioner’s Office), the UK body charged with enforcing “information rights”.

Communications company TalkTalk suffered a data breach this time last year and were fined £400,000 by the ICO after it found that the company “should and could have done more to safeguard its customer information”.

That’s small fry compared to what Tesco could have faced if the UK had ratified the EU’s General Data Protection Regulation. Commentators have suggested that if the new regulations, slated to come into force in May 2018, were in place now then Tesco could be staring down the barrel at fines closer to £2 billion.

Indirect costs

Aside from the cost of fines and refunds, Tesco Bank now also faces the prospect of lost customers.

Research by Deloitte suggests that one third of consumers would close an online account if the company they held it with was involved in a data breach. The research covers all types of organisations, not just banks, and the loss of personal information rather than the potentially more serious loss of money.

For comparison, TalkTalk’s November 2015 data breach cost the company an estimated £80 million. The company put the cost of restoring and securing its online presence at £45 million, the cost of lost revenue at £20 million and the cost of “disruption” at £15 million.

The true cost of lost revenue is likely to have been far higher. The company’s estimate of £20 million only covers the financial quarter following the breach and it occurred because of the abrupt departure of 100,000 customers. I assume that most of those people would otherwise have continued as TalkTalk customers for years rather than months, that they’re extremely unlikely to come back and that some people will not now join TalkTalk who might otherwise have done so.

Opportunity costs

Of course the comparison between the two companies has its limits – TalkTalk had already chipped away at its own reputation with earlier data breaches and badly mishandled its communications following the most recent hack.

Tesco reacted quickly to reassure its customers and avoided the kind of ‘thinking out loud’ PR disaster engaged in by TalkTalk. But it also wasn’t prepared for the volume of calls it invited into its call centre, leaving too many customers waiting in phone queues. Trust is a critical attribute for banks and I expect that customers will hold a bank to a higher standard than an ISP.

Unlike TalkTalk, which has a 14% market share and is one of the ‘big four’ broadband providers in the UK, Tesco Bank is a relatively small player in the retail banking market. Like other banks outside banking’s own ‘big four’, it has struggled to attract significant numbers of current account customers.

The UK’s high street banks aren’t always well-loved but their retail banking brands have accumulated a deep well of trust for centuries. Customers are loyal and newcomers to the retail banking sector find themselves swimming upstream as a result.

Speaking to Reuters in 2015, Higgins admitted as much saying “I think that we can aspire to be a significant player but I think the nature of the market means it will take time … I think the current account is going to be a long burner”.

Tesco should respond publicly to restore confidence in its online security, or it might be a very long burner indeed.

22 Nov 2016